segfault in property.getter/setter/deleter if property subclass has weird __new__

[cfbolz]

CPython crashes if run on the following code:

class pro(property):
 def __new__(typ, *args, **kwargs):
 return "abcdef"
class A:
 pass

p = property.__new__(pro)
p.__set_name__(A, 1)
np = p.getter(lambda self: 1)

The crash happens on the last line. The problem is the following code in property_copy:

 new = PyObject_CallFunctionObjArgs(type, get, set, del, doc, NULL);
 Py_DECREF(type);
 if (new == NULL)
 return NULL;

 Py_XSETREF(((propertyobject *) new)->prop_name, Py_XNewRef(pold->prop_name));
 return new;

In the crashing code, new is a string, so casting it to propertyobject and writing to prop_name is wrong.

This is synthetic code, I found the problem while porting some 3.10 features to PyPy and thinking about corner cases.

Linked PRs

• gh-100942: Fix crash on property subtypes with weird __new__ #100955
• GH-100942: Fix incorrect cast in property_copy(). #100965
• [3.11] GH-100942: Fix incorrect cast in property_copy(). (GH-100965). #101008
• [3.10] GH-100942: Fix incorrect cast in property_copy(). (GH-100965). #101009

[mdboom]

Confirmed on 3.10, 3.11 and main.

[sobolevn]

__set_name__ part is not required for the repro:

class pro(property):
 def __new__(typ, *args, **kwargs):
 return "abcdef"

p = property.__new__(pro)
np = p.getter(lambda self: 1)

This code also crashes on 3.12

[rhettinger]

This did not fail on 3.9. Soonish, I will hunt down the offending check in. Off hand, I suspect the disasterous and now deprecated descriptor chaining logic.

[sobolevn]

Commit that introduced these lines: c56387f

[rhettinger]

Confirmed, c56387f is the culprit.